Hi,

I would like some help with performing network isolation using rtable, to use tor without network leaks. I use -current. The host is a workstation (no forwarding set in sysctl).

The purpose is to have a dedicated rtable where "programs that should use tor" live (route -T 1 exec ...), with the only access to the network being through the tor socks server, accessible in this rtable.

I use the tor package as-is from ports (socks server listening on 127.0.0.1:9050, in rdomain 0).

I have created a loopback device in rdomain 1:

--- BEGIN /etc/hostname.lo1 ---
rdomain 1
inet 127.0.0.1
up
--- END /etc/hostname.lo1 ---

The program is started in rtable 1 with something like:

$ route -T 1 exec chrome --proxy-server="socks5://127.0.0.1:9050"

Now I should redirect all access to tcp://127.0.0.1:9050 in rdomain 1 to tcp://127.0.0.1:9050 in rdomain 0. There are many possibilities to achieve this goal.

pf rule set (all my rules) [that works]:

block drop in log quick on ! lo0 proto tcp from any to any port 6000:6010
match in on lo1 proto tcp to 127.0.0.1 port 9050 rdr-to 127.0.0.1 rtable 0
match out on lo0 proto tcp to 127.0.0.1 port 9050 nat-to lo0
pass all

Currently I don't fully agree with these rules, as they don't permit me to keep pf disabled on lo devices (no more "set skip lo"), or at least on lo0.

I think it should be possible to do the redirect in userland with nc(1) (something like "nc -V 1 -l 9050 | nc 127.0.0.1 9050") or socat(1).

There is also inetd(8), but it would have to listen on rtable 1 for one service. Is it possible without a new instance? Or relayd(8)...

So how to elegantly perform a redirect at level 3 between rdomains? (the term "elegantly" is unusual, but I think it is understandable... perhaps "best practice" is more common)

Thanks
-- 
Sébastien Marie
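As an added example (not part of the original post), a small POSIX sh helper that renders the hostname.lo<N> file and the post's pf rdr-to/nat-to rules for any rdomain/port pair, and runs a leak check from inside that rdomain on the OpenBSD host; the TEST-NET-2 address 198.51.100.1 and the script name are assumptions:

```shell
#!/bin/sh
# Added example, not from the original post. It renders the two config
# pieces the post describes (hostname.lo<N> and the pf rdr-to/nat-to rules)
# for a chosen rdomain and SOCKS port, and adds a leak check to be run on
# the OpenBSD host. Assumptions: Tor's SOCKS listener is 127.0.0.1:$port in
# rdomain 0 and lo<N> is the only interface in rdomain N; 198.51.100.1 is a
# constructed TEST-NET-2 address used only as a "must be unreachable" target.

# /etc/hostname.lo<N>: a loopback living in the isolated rdomain.
hostname_lo() {
    printf 'rdomain %s\ninet 127.0.0.1\nup\n' "$1"
}

# The pf rules from the post, parameterised. Inside rdomain N only the
# SOCKS port is redirected into rdomain 0; nothing else in N has a route.
pf_rules() {
    rdom="$1"; port="$2"
    cat <<EOF
match in on lo$rdom proto tcp to 127.0.0.1 port $port rdr-to 127.0.0.1 rtable 0
match out on lo0 proto tcp to 127.0.0.1 port $port nat-to lo0
pass all
EOF
}

# Leak check: inside rtable N the SOCKS port must answer, and a direct TCP
# connection to an outside address must fail (no route out of rdomain N).
# Returns 0 when both hold; needs route(8) and nc(1), i.e. the OpenBSD host.
leak_check() {
    rdom="$1"; port="$2"
    if ! route -T "$rdom" exec nc -z -w 3 127.0.0.1 "$port"; then
        echo "socks port $port not reachable from rdomain $rdom"; return 1
    fi
    if route -T "$rdom" exec nc -z -w 3 198.51.100.1 80 2>/dev/null; then
        echo "LEAK: rdomain $rdom reached 198.51.100.1 directly"; return 1
    fi
    echo "ok: rdomain $rdom can only reach 127.0.0.1:$port"
}

# Usage on the host (constructed script name): sh tor-rdomain.sh 1 9050
if [ "$#" -eq 2 ]; then
    hostname_lo "$1"; pf_rules "$1" "$2"; leak_check "$1" "$2"
fi
```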
The purpose is to have dedicate rtable where "program that should use tor" live (route -T 1 exec ...), and with the only access to network is throught tor socks server, accessible in this rtable. I use the tor package as-it in ports (socks server listening to 127.0.0.1:9050, in rdomain 0). I have created a loopback device in rdomain 1. --- BEGIN /etc/hostname.lo1 --- rdomain 1 inet 127.0.0.1 up --- END /etc/hostname.lo1 --- Program is started in rtable 1 with something like: $ route -T 1 exec chrome --proxy-server="socks5://127.0.0.1:9050" Now I should redirect all access to tcp://127.0.0.1:9050 in rdomain 1 to tcp://127.0.0.1:9050 in rdomain 0. There are many possibilities to achieve this goal. pf rules set (all my rules) [that works]: block drop in log quick on ! lo0 proto tcp from any to any port 6000:6010 match in on lo1 proto tcp to 127.0.0.1 port 9050 rdr-to 127.0.0.1 rtable 0 match out on lo0 proto tcp to 127.0.0.1 port 9050 nat-to lo0 pass all Currently I'm not fully agreed with these rules, as it not permit me to keep disabled pf on lo devices (no more "set skip lo"), or at least on lo0. I think it should be possible to do redirect in userland with nc(1) (something like "nc -V 1 -l 9050 | nc 127.0.0.1 9050") or socat(1) There are also inetd(8), but it should listen on rtable 1 for one service. Does it is possible without new instance ? Or relayd(8)... So how to elegantly perform redirect in level 3 between rdomain ? (the term "elegantly" is unusual, but I think it is understandable... perhaps "best practice" is more common) Thanks -- Sébastien Marie